Forum Discussion

AndOs's avatar
AndOs
Icon for Cirrostratus rankCirrostratus
Oct 09, 2017

AAA HTTP layered vip with ipv6 address

Hi!

I'm trying to create a layered vip with ipv6 to do https for an endpoint in a HTTP AAA server.

However I'm not having much luck getting it to work.

In /var/log/apm I'm getting error "Curl perform failed: Couldn't connect to server (7)"

My experience with ipv6 is limited so there might very well be something simple I have missed.

This is the config I'm using.

ltm node otpgateway.domain.com {
    address 62.132.21.215
}
ltm pool layered_aaa_proxy_pool {
    members {
        otpgateway.domain.com:https {
            address 62.132.21.215
        }
    }
}
ltm virtual layered_aaa_proxy_vip {
    destination fd6d:ec93:1c0a:beef::1000.http
    ip-protocol tcp
    pool layered_aaa_proxy_pool
    profiles {
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    source-address-translation {
        type automap
    }
}

apm aaa http otpgateway_layered_HTTP {
    auth-type custom-post
    content-type xml-utf8
    custom-body "<\?xml version=\"1.0\" encoding=\"UTF-8\" \?>........"
    form-action /OTPsend
    start-uri http://[fd6d:ec93:1c0a:beef::1000]
    success-match-type string
    success-match-value "200 OK"
}

Changing the address to a v4 works, but for various reasons it would be good if I could use a v6 address.

Should a v6 address work? Or are there any internal limitations for having an ipv6 address on this kind of layered approach?

Thanks!

/Andreas

APM
application delivery
LTM

2 Replies

Sort By
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Oct 09, 2017

    Hi, try with a hostname instead of IPv6 and configure this in hosts file (system / device / hosts).

     

  • Tom_Lauwereins_'s avatar
    Tom_Lauwereins_
    Icon for Nimbostratus rankNimbostratus
    Jan 23, 2018

    Hello,

    I want to do a custom post with IPv4 but can't get it to work. I used a VIP on the APM itself with a serverssl. The pool members is the AAA authentication server. 

    ltm virtual vs_smsapi_test {
    destination 172.29.100.12:http
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_smsapi_test
    profiles {
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 80
}

ltm pool pool_smsapi_test {
    members {
        212.113.89.36:https {
            address 212.113.89.36
            session monitor-enabled
            state up
        }
    }
    monitor https

apm aaa http /andrei/otp_smsapi {
    auth-type custom-post
    content-type url-encoded-utf8
    custom-body "{\"recipient_phone_number\":\"%{session.logon.last.username}\",\"message\":\"%{session.logon.last.password}\",\"priority\":\"high\"}"
    form-action /api/sms/
    headers {
        header0 {
            name Content-Type
            value application/json
        }
        header1 {
            name Authorization
            value "Basic xxxxxxx"
        }
    }
    partition andrei
    start-uri http://172.29.100.12
    success-match-type string
    success-match-value id
}
    net self Vlan400 {
    address 172.29.100.3/16
    traffic-group traffic-group-local-only
    vlan vlan400
}

    When testing the connection from another PC to the APM enabled VIP I don't see any traffic via a tcpdump leaving from the vlan400 interface and get this in the apm logs:

    Jan 23 17:21:24 BIGIP-C debug apd[16514]: 01490000:7: modules/Authentication/Http/HttpModule.cpp func: "doHttpHeaderBasedAuth()" line: 115 Msg: a933e480: HTTP module: doHttpHeaderBasedAuth(): URL: http://172.29.100.12/api/sms
Jan 23 17:21:24 BIGIP-C err apd[16514]: 01490138:3: a933e480: HTTP module: authentication with 'test' failed: Curl perform failed: Failure when receiving data from the peer  (56)
Jan 23 17:21:24 BIGIP-C debug apd[16514]: 01490111:7: a933e480: HTTP module: authenticateUser(): Curl perform failed: Failure when receiving data from the peer (56)

    But the strange part is that I don't see any traffic leaving towards 172.29.100.12? Any ideas?